SCCM remote control and the “Access this computer from the network” setting

When chasing high-privileged accounts, which are a risk, this is a question I have seen many times. In the Security Compliance templates from Microsoft (even the latest for RS2), the setting “Access this computer from the network” is recommended to be set to “Administrators” and “Remote Desktop Users”, which is a good recommendation!

However, it also stops SCCM Remote Control from working if you aren’t a member of the Local Administrators or the Remote Desktop Users group, as you are not allowed to connect to the computer even if you are a member of the Permitted Viewers group. That is not so great, as we don’t want those high-privileged accounts to be used to remote control the computer at all, especially in some scenarios. For example, if a user needs application support, there is no reason for the person remote controlling the session to be a member of the local administrators group, as it is not needed to support the user.

The connection will never complete when the user is not a member of a group that is allowed to access the computer from the network.

The solution is simply to add the SCCM Remote Control group you use to grant permissions to the “Access this computer from the network” setting. Alternatively, add the SCCM remote control group to the Remote Desktop Users group, but that would grant them more permissions as well.

The remote control connection will then succeed even if they are not members of the local administrators group on the client.
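
To check on a client which principals hold “Access this computer from the network” (constant name SeNetworkLogonRight), here is an added example that is not part of the original post: it exports the user rights with secedit and looks for the remote control group. The group name `CONTOSO\SCCM-RemoteControl` and the temporary file name are placeholder assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# ASSUMPTION: the group name below is a placeholder; replace it with your own group.
$RemoteControlGroup = 'CONTOSO\SCCM-RemoteControl'

# Export only the user rights assignments from this client to a temporary INF file.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $match) {
    Write-Warning 'SeNetworkLogonRight was not found in the exported policy.'
} else {
    # Entries are comma separated: SIDs carry a leading '*', other entries are account names.
    $holders = foreach ($entry in ($match.Line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }   # e.g. a deleted account or group
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
    $holders | Format-Table -AutoSize

    # Compare by SID so the result does not depend on how the name is written.
    try {
        $account  = New-Object System.Security.Principal.NTAccount($RemoteControlGroup)
        $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($holders.Sid -contains $groupSid) {
            "$RemoteControlGroup holds SeNetworkLogonRight."
        } else {
            "$RemoteControlGroup does NOT hold SeNetworkLogonRight directly."
        }
    } catch {
        Write-Warning "Could not resolve '$RemoteControlGroup' to a SID."
    }
}
```

A group can also receive the right indirectly, through membership in a listed group such as Remote Desktop Users, which this direct comparison does not report.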

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone else's use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.